diff --git a/CHANGELOG.md b/CHANGELOG.md index c33cb9b..2afac6f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,20 @@ # Changelog -## 0.16.1 (Unreleased) +## 0.17.0 (Unreleased) + +BREAKING CHANGES: + +* The process to install modules has changed. You will now have to use a list variable, `nginx_modules`, instead of manually setting the modules you want to install to `true` or `false`. This change will also simplify adding future supported modules to this role. You can find a list of supported modules for NGINX and NGINX Plus in [`vars/main.yml`](https://github.com/nginxinc/ansible-role-nginx/blob/master/vars/main.yml). +* Modules can no longer be added to your NGINX config using this role. Please use the [`nginx_config`](https://github.com/nginxinc/ansible-role-nginx-config) role instead. ENHANCEMENTS: + * Update Ansible to `2.9.13` and Ansible Lint to `4.3.4`. +BUG FIXES: + +* NGINX Plus repository data for RedHat based distros is now appropriately set. + ## 0.16.0 (August 28, 2020) BREAKING CHANGES: diff --git a/README.md b/README.md index bb23e40..6a777f3 100644 --- a/README.md +++ b/README.md @@ -198,6 +198,10 @@ This role has multiple variables. The descriptions and defaults for all these va - **[defaults/main/bsd.yml](https://github.com/nginxinc/ansible-role-nginx/blob/master/defaults/main/bsd.yml):** BSD installation variables - **[defaults/main/unit.yml](https://github.com/nginxinc/ansible-role-nginx/blob/master/defaults/main/unit.yml):** NGINX Unit installation variables +Similarly, descriptions and defaults for preset variables can be found in the **`vars`** directory: + +- **[vars/main.yml](https://github.com/nginxinc/ansible-role-nginx/blob/master/vars/main.yml):** NGINX supported modules + Example Playbooks ----------------- diff --git a/defaults/main/main.yml b/defaults/main/main.yml index 30cf374..493a1f0 100644 --- a/defaults/main/main.yml +++ b/defaults/main/main.yml 
@@ -81,16 +81,28 @@ nginx_license: # Default is false. nginx_delete_license: false -# Install NGINX JavaScript, Perl, ModSecurity WAF (NGINX Plus only), GeoIP, Image-Filter, RTMP Media Streaming (NGINX Plus only), and/or XSLT modules. -# Default is false. -nginx_modules: - njs: false - perl: false - waf: false - geoip: false - image_filter: false - rtmp: false - xslt: false +# Install NGINX Modules. +# You can select any of the modules listed below. Beware of NGINX Plus only modules (these are marked). +# Default is no modules. +nginx_modules: [] + # - auth-spnego # NGINX Plus + # - brotli # NGINX Plus + # - cookie-flag # NGINX Plus + # - encrypted-session # NGINX Plus + # - geoip + # - geoip2 # NGINX Plus + # - headers-more # NGINX Plus + # - image-filter + # - lua # NGINX Plus + # - njs + # - opentracing # NGINX Plus + # - passenger # NGINX Plus + # - perl # NGINX Plus + # - prometheus # NGINX Plus + # - rtmp + # - subs-filter # NGINX Plus + # - waf # NGINX Plus + # - xslt # Remove previously existing NGINX configuration files. # You can specify a list of paths you wish to remove. diff --git a/molecule/common/playbooks/module_converge.yml b/molecule/common/playbooks/module_converge.yml index a8548fe..904979a 100644 --- a/molecule/common/playbooks/module_converge.yml +++ b/molecule/common/playbooks/module_converge.yml @@ -24,10 +24,9 @@ - /etc/nginx/conf.d/default.conf nginx_modules: - njs: true - perl: true - waf: false - geoip: true - image_filter: true - rtmp: true - xslt: true + - brotli + - geoip + - image-filter + - njs + - perl + - xslt diff --git a/tasks/main.yml b/tasks/main.yml index a0e0903..af55ef7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
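Review bot: The commented example list under `nginx_modules: []` in defaults/main/main.yml offers `waf`, but `nginx_plus_modules_list` in vars/main.yml (added by this commit) has `modsecurity` and no `waf`. A user who uncomments that line gets the entry filtered out by the `when` on the install task in tasks/modules/install-modules.yml, so the play finishes without the WAF package and without an error. The removed install-waf.yml installed `nginx-plus-module-modsecurity`, so the example line should read `# - modsecurity  # NGINX Plus`. The `# NGINX Plus` marker on `perl` also disagrees with `nginx_modules_list`, which lists `perl` for open source.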
@@ -31,7 +31,9 @@ - name: "(Install: All OSs) Install NGINX Modules" include_tasks: "{{ role_path }}/tasks/modules/install-modules.yml" - when: true in nginx_modules.values() + when: + - nginx_modules is defined + - nginx_modules | length > 0 tags: nginx_install_modules - name: "(Install: All OSs) Delete NGINX Plus License" diff --git a/tasks/modules/install-geoip.yml b/tasks/modules/install-geoip.yml deleted file mode 100644 index 1bc3f72..0000000 --- a/tasks/modules/install-geoip.yml +++ /dev/null @@ -1,28 +0,0 @@ ---- -- name: "(Install: CentOS) Install GeoIP Required CentOS Dependencies" - yum: - name: epel-release - when: ansible_distribution == "CentOS" - -- name: "(Install: All OSs) Install NGINX Open Source GeoIP Module" - package: - name: "nginx-module-geoip{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus GeoIP Module" - package: - name: "nginx-plus-module-geoip{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX GeoIP Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: "{{ item }}" - loop: - - load_module modules/ngx_http_geoip_module.so; - - load_module modules/ngx_stream_geoip_module.so; - when: not nginx_main_template_enable | bool - notify: "(Handler: All OSs) Reload NGINX" diff --git a/tasks/modules/install-image-filter.yml b/tasks/modules/install-image-filter.yml deleted file mode 100644 index 0529857..0000000 --- a/tasks/modules/install-image-filter.yml +++ /dev/null 
@@ -1,20 +0,0 @@
----
-- name: "(Install: All OSs) Install NGINX Open Source Image Filter Module"
- package:
- name: "nginx-module-image-filter{{ nginx_version | default('') }}"
- state: present
- when: nginx_type == "opensource"
-
-- name: "(Install: All OSs) Install NGINX Plus Image Filter Module"
- package:
- name: "nginx-plus-module-image-filter{{ nginx_version | default('') }}"
- state: present
- when: nginx_type == "plus"
-
-- name: "(Setup: All NGINX) Load NGINX Image Filter Module"
- lineinfile:
- path: /etc/nginx/nginx.conf
- insertbefore: BOF
- line: load_module modules/ngx_http_image_filter_module.so;
- when: not nginx_main_template_enable | bool
- notify: "(Handler: All OSs) Reload NGINX"
diff --git a/tasks/modules/install-modules.yml b/tasks/modules/install-modules.yml
index 7e2bd3f..b10cc4d 100644
--- a/tasks/modules/install-modules.yml
+++ b/tasks/modules/install-modules.yml
@@ -1,35 +1,32 @@ --- -- name: "(Install: All OSs) Install NGINX JavaScript Module" - include_tasks: "{{ role_path }}/tasks/modules/install-njs.yml" - when: nginx_modules.njs | default(false) - -- name: "(Install: All OSs) Install NGINX Perl Module" - include_tasks: "{{ role_path }}/tasks/modules/install-perl.yml" - when: nginx_modules.perl | default(false) - -- name: "(Install: All OSs) Install NGINX GeoIP Module" - include_tasks: "{{ role_path }}/tasks/modules/install-geoip.yml" +- name: "(Install: CentOS) Install GeoIP Required CentOS Dependencies" + yum: + name: epel-release when: - - nginx_modules.geoip | default(false) - - ansible_os_family != "RedHat" - - ansible_distribution_major_version != "8" + - ansible_distribution == "CentOS" + - '"geoip" in nginx_modules' -- name: "(Install: All OSs) Install NGINX Image Filter Module" - include_tasks: "{{ role_path }}/tasks/modules/install-image-filter.yml" - when: nginx_modules.image_filter | default(false) - -- name: "(Install: All OSs) Install NGINX RTMP Module" - include_tasks: "{{ role_path }}/tasks/modules/install-rtmp.yml" +- name: "(Install: All OSs) Install NGINX Modules" + package: + name: "nginx-{{ (nginx_type == 'plus') | ternary('plus-', '') }}module-{{ item }}{{ nginx_version | default('') }}" + state: present + loop: "{{ nginx_modules }}" when: - - nginx_modules.rtmp | default(false) - - nginx_type == "plus" - -- name: "(Install: All OSs) Install NGINX XSLT Module" - include_tasks: "{{ role_path }}/tasks/modules/install-xslt.yml" - when: nginx_modules.xslt | default(false) - -- name: "(Install: All OSs) Install NGINX WAF Module" - include_tasks: "{{ role_path }}/tasks/modules/install-waf.yml" - when: - - nginx_modules.waf | default(false) - - nginx_type == "plus" + - (item in nginx_modules_list and nginx_type == 'opensource') + or (item in nginx_plus_modules_list and nginx_type == 'plus') + - not (item == "auth-spnego") + or not (ansible_os_family == "Alpine" and (ansible_distribution_version | 
regex_search('^[0-9]+\\.[0-9]+') == "3.8")) + - not (item == "geoip") + or not ((ansible_os_family == "RedHat" and ansible_distribution_major_version == "8") + or (ansible_os_family == "FreeBSD")) + - not (item == "brotli") + or not ((ansible_os_family == "Alpine") + or (ansible_os_family == "RedHat" and ansible_distribution_major_version < "8") + or (ansible_os_family == "Debian" and ansible_distribution_major_version == "9") + or (ansible_os_family == "Suse" and ansible_distribution_major_version == "12") + or (ansible_distribution == "Amazon") + or (ansible_distribution == "OracleLinux")) + - not (item == "geoip2") or not (ansible_os_family == "Suse") + - not (item == "opentracing") + or not ((ansible_os_family == "Suse" and ansible_distribution_major_version == "12") + or (ansible_os_family == "RedHat" and ansible_distribution_major_version == "6")) diff --git a/tasks/modules/install-njs.yml b/tasks/modules/install-njs.yml deleted file mode 100644 index 25eaf6a..0000000 --- a/tasks/modules/install-njs.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Open Source JavaScript Module" - package: - name: "nginx-module-njs{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus JavaScript Module" - package: - name: "nginx-plus-module-njs{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX JavaScript Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: "{{ item }}" - loop: - - load_module modules/ngx_http_js_module.so; - - load_module modules/ngx_stream_js_module.so; - when: not nginx_main_template_enable | bool - notify: "(Handler: All OSs) Reload NGINX" diff --git a/tasks/modules/install-perl.yml b/tasks/modules/install-perl.yml deleted file mode 100644 index 812fb45..0000000 --- a/tasks/modules/install-perl.yml +++ /dev/null 
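Review bot: The allow-list check sits in the `when` of the looped `package` task in tasks/modules/install-modules.yml, so a requested name missing from `nginx_modules_list` / `nginx_plus_modules_list` is skipped without failing the play. That covers a typo or a Plus-only module requested with `nginx_type == 'opensource'`, and for a security module such as `modsecurity` it means a host can converge cleanly without it. A preflight `assert` placed before the install task, as sketched below, would make that case fail closed; the per-OS exclusions would still skip quietly and may deserve a warning of their own. Separately, `ansible_distribution_major_version < "8"` in the brotli condition compares strings, so a major version of `"10"` would sort below `"8"`; `ansible_distribution_major_version | int < 8` avoids that.

```yaml
- name: "(Install: All OSs) Check requested NGINX modules are supported"
  assert:
    that:
      - nginx_modules
        | difference((nginx_type == 'plus') | ternary(nginx_plus_modules_list, nginx_modules_list))
        | length == 0
    fail_msg: "Unsupported entry in nginx_modules for nginx_type '{{ nginx_type }}'"

# … unchanged: "(Install: All OSs) Install NGINX Modules" package task …
```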
@@ -1,25 +0,0 @@
----
-- name: "(Install: All OSs) Install Perl Dependency"
- package:
- name: perl
- state: present
-
-- name: "(Install: All OSs) Install NGINX Open Source Perl Module"
- package:
- name: "nginx-module-perl{{ nginx_version | default('') }}"
- state: present
- when: nginx_type == "opensource"
-
-- name: "(Install: All OSs) Install NGINX Plus Perl Module"
- package:
- name: "nginx-plus-module-perl{{ nginx_version | default('') }}"
- state: present
- when: nginx_type == "plus"
-
-- name: "(Setup: All NGINX) Load NGINX Perl Module"
- lineinfile:
- path: /etc/nginx/nginx.conf
- insertbefore: BOF
- line: load_module modules/ngx_http_perl_module.so;
- when: not nginx_main_template_enable | bool
- notify: "(Handler: All OSs) Reload NGINX"
diff --git a/tasks/modules/install-rtmp.yml b/tasks/modules/install-rtmp.yml
deleted file mode 100644
index 148b218..0000000
--- a/tasks/modules/install-rtmp.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-- name: "(Install: All OSs) Install NGINX Plus RTMP Module"
- package:
- name: "nginx-plus-module-rtmp{{ nginx_version | default('') }}"
- state: present
-
-- name: "(Setup: All NGINX) Load NGINX RTMP Module"
- lineinfile:
- path: /etc/nginx/nginx.conf
- insertbefore: BOF
- line: load_module modules/ngx_rtmp_module.so;
- when: not nginx_main_template_enable | bool
- notify: "(Handler: All OSs) Reload NGINX"
diff --git a/tasks/modules/install-waf.yml b/tasks/modules/install-waf.yml
deleted file mode 100644
index 9fd7237..0000000
--- a/tasks/modules/install-waf.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-- name: "(Install: All OSs) Install NGINX Plus WAF Module"
- package:
- name: "nginx-plus-module-modsecurity{{ nginx_version | default('') }}"
- state: present
-
-- name: "(Setup: NGINX Plus) Load NGINX Plus WAF Module"
- lineinfile:
- path: /etc/nginx/nginx.conf
- insertbefore: BOF
- line: load_module modules/ngx_http_modsecurity_module.so;
- when: not nginx_main_template_enable | bool
- notify: "(Handler: All OSs) Reload NGINX"
diff --git a/tasks/modules/install-xslt.yml b/tasks/modules/install-xslt.yml deleted file mode 100644 index 5833093..0000000 --- a/tasks/modules/install-xslt.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -- name: "(Install: All OSs) Install NGINX Open Source XSLT Module" - package: - name: "nginx-module-xslt{{ nginx_version | default('') }}" - state: present - when: nginx_type == "opensource" - -- name: "(Install: All OSs) Install NGINX Plus XSLT Module" - package: - name: "nginx-plus-module-xslt{{ nginx_version | default('') }}" - state: present - when: nginx_type == "plus" - -- name: "(Setup: All NGINX) Load NGINX XSLT Module" - lineinfile: - path: /etc/nginx/nginx.conf - insertbefore: BOF - line: load_module modules/ngx_http_xslt_filter_module.so; - when: not nginx_main_template_enable | bool - notify: "(Handler: All OSs) Reload NGINX" diff --git a/tasks/plus/setup-redhat.yml b/tasks/plus/setup-redhat.yml index e4b269b..8dbb968 100644 --- a/tasks/plus/setup-redhat.yml +++ b/tasks/plus/setup-redhat.yml @@ -4,7 +4,7 @@ name: nginx-plus baseurl: >- https://plus-pkgs.nginx.com/centos/{{ (ansible_distribution_version | float >= 7.4 and ansible_distribution_version | float < 8.0) - | ternary(ansible_distribution_major_version | int, 7.4) }}/$basearch/ + | ternary('7.4', ansible_distribution_major_version | int) }}/$basearch/ description: NGINX Plus Repository sslclientcert: /etc/ssl/nginx/nginx-repo.crt sslclientkey: /etc/ssl/nginx/nginx-repo.key @@ -18,7 +18,7 @@ yum_repository: name: nginx-plus baseurl: >- - https://plus-pkgs.nginx.com/amzn{{ (ansible_distribution_version == "2") + https://plus-pkgs.nginx.com/amzn{{ (ansible_distribution_version == '2') | ternary('2', '') }}/$releasever/$basearch description: NGINX Plus Repository sslclientcert: /etc/ssl/nginx/nginx-repo.crt diff --git a/templates/nginx.conf.j2 b/templates/nginx.conf.j2 index b7582ae..d7e4c6a 100644 --- a/templates/nginx.conf.j2 +++ b/templates/nginx.conf.j2 
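Review bot: The `baseurl` condition in the first tasks/plus/setup-redhat.yml hunk still casts `ansible_distribution_version` with `| float`, which does not order version strings. A value with a third component (a constructed example: `7.9.2009`) would not parse and, as far as I can tell, falls to the filter's default of 0.0, so the host would silently get the `/centos/7/` path instead of `/centos/7.4/`; `7.10` would compare as 7.1. The commit corrects the `ternary` argument order but leaves this cast in place. The version test expresses the range directly: `(ansible_distribution_version is version('7.4', '>=') and ansible_distribution_version is version('8.0', '<'))`. The enclosing repository task begins and ends outside the hunk.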
@@ -1,36 +1,5 @@ {{ ansible_managed | comment }} -{% if nginx_modules.njs %} -{% if nginx_http_template_enable %} -load_module modules/ngx_http_js_module.so; -{% endif %} -{% if nginx_stream_template_enable %} -load_module modules/ngx_stream_js_module.so; -{% endif %} -{% endif %} -{% if nginx_modules.perl %} -load_module modules/ngx_http_perl_module.so; -{% endif %} -{% if nginx_modules.geoip %} -{% if nginx_http_template_enable %} -load_module modules/ngx_http_geoip_module.so; -{% endif %} -{% if nginx_stream_template_enable %} -load_module modules/ngx_stream_geoip_module.so; -{% endif %} -{% endif %} -{% if nginx_modules.image_filter %} -load_module modules/ngx_http_image_filter_module.so; -{% endif %} -{% if nginx_modules.rtmp and nginx_type == "plus" %} -load_module modules/ngx_rtmp_module.so; -{% endif %} -{% if nginx_modules.xslt %} -load_module modules/ngx_http_xslt_filter_module.so; -{% endif %} -{% if nginx_modules.waf and nginx_type == "plus" %} -load_module modules/ngx_http_modsecurity_module.so; -{% endif %} user {{ nginx_main_template.user }}; worker_processes {{ nginx_main_template.worker_processes }}; diff --git a/vars/main.yml b/vars/main.yml index ed97d53..a4f6e14 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1 +1,27 @@ --- +nginx_modules_list: + - geoip + - image-filter + - njs + - perl + - xslt + +nginx_plus_modules_list: + - auth-spnego + - brotli + - cookie-flag + - encrypted-session + - geoip + - geoip2 + - headers-more + - image-filter + - lua + - modsecurity + - njs + - opentracing + - passenger + - perl + - prometheus + - rtmp + - subs-filter + - xslt